by tatterdemalion 3741 days ago
I think that semver encourages unaudited updates by acting as a substitute for auditing in practice. Obviously the spec doesn't say that you should blindly accept all bugfix updates, but in practice many people do. I often do.

Everyone does and I don't think we will be able to change that.

It would be nice if there were a tool that would allow developers to mark a new release as safe. Every package would have its social safety score and you could decide if you want to investigate a release further.

What do you mean by 'safe'? There is such a tool built into semver -- it's releasing with a patch or minor version bump! Which means it should be entirely backwards compatible with the previous release. Do you mean something else by 'safe'?

I think the issue parent is worried about is if you can't trust the author's declaration of safety.

I think davnn meant a voting mechanism to allow other devs (besides the package's publisher) to vouch for its safety.

At least that's how I interpreted "social safety score".

Ah, I see. I guess that might be interesting. I suspect it would have to get very complicated supporting 'chains of trust' and possibly crypto implementation, to avoid gaming by someone who wanted to make their dangerous code look voted "safe" by lots of people.

Exactly!